Clients must use HTTP basic authentication to authenticate to the Configuration API. If the username value is not a distinguished name (DN), then it resolves to a DN value using the identity mapper associated with the Configuration servlet. By default, the Configuration API uses an identity mapper that allows an entry’s UID value to be used as a username. To customize this behavior, either customize the default identity mapper or specify a different identity mapper using the Configuration servlet’s identity-mapper property. The following code provides an example.

$ bin/dsconfig set-http-servlet-extension-prop \  
  --extension-name Configuration \  
  --set "identity-mapper:Alternative Identity Mapper”


To access configuration information, users must have the appropriate privileges:

  • To access the cn=config backend, users must have the bypass-acl privilege or be allowed access to the configuration using an ACI.
  • To read configuration information, users must have the config-read privilege.
  • To update the configuration, users must have the config-write privilege.